Re: [secdir] secdir review of draft-cheshire-dnsext-nbp-09.txt

Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Fri, 03 December 2010 17:13 UTC

Return-Path: <j.schoenwaelder@jacobs-university.de>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C441928C188; Fri, 3 Dec 2010 09:13:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.115
X-Spam-Level:
X-Spam-Status: No, score=-103.115 tagged_above=-999 required=5 tests=[AWL=0.134, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vN11VgepLAmt; Fri, 3 Dec 2010 09:13:47 -0800 (PST)
Received: from hermes.jacobs-university.de (hermes.jacobs-university.de [212.201.44.23]) by core3.amsl.com (Postfix) with ESMTP id 164B428C104; Fri, 3 Dec 2010 09:13:43 -0800 (PST)
Received: from localhost (demetrius1.jacobs-university.de [212.201.44.46]) by hermes.jacobs-university.de (Postfix) with ESMTP id 8B62CC0015; Fri, 3 Dec 2010 18:15:00 +0100 (CET)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from hermes.jacobs-university.de ([212.201.44.23]) by localhost (demetrius1.jacobs-university.de [212.201.44.32]) (amavisd-new, port 10024) with ESMTP id yP++TDHCNA4y; Fri, 3 Dec 2010 18:15:00 +0100 (CET)
Received: from elstar.local (elstar.iuhb02.iu-bremen.de [10.50.231.133]) by hermes.jacobs-university.de (Postfix) with ESMTP id BA232C0002; Fri, 3 Dec 2010 18:14:50 +0100 (CET)
Received: by elstar.local (Postfix, from userid 501) id 4D2DB15DD071; Fri, 3 Dec 2010 18:14:49 +0100 (CET)
Date: Fri, 3 Dec 2010 18:14:49 +0100
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: Stuart Cheshire <cheshire@apple.com>
Message-ID: <20101203171449.GA2863@elstar.local>
Mail-Followup-To: Stuart Cheshire <cheshire@apple.com>, IESG <iesg@ietf.org>, secdir@ietf.org
References: <20101101094624.GC29846@elstar.local> <22E7725B-417F-4944-A0B4-844A237385EF@apple.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <22E7725B-417F-4944-A0B4-844A237385EF@apple.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: IESG <iesg@ietf.org>, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-cheshire-dnsext-nbp-09.txt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Dec 2010 17:13:48 -0000

On Wed, Dec 01, 2010 at 08:54:36AM -0800, Stuart Cheshire wrote:
> On 1 Nov 2010, at 2:46, Juergen Schoenwaelder wrote:
> 
> > I have reviewed this document as part of the security directorate's
> > ongoing effort to review all IETF documents being processed by the
> > IESG.  These comments were written primarily for the benefit of the
> > security area directors.  Document editors and WG chairs should treat
> > these comments just like any other last call comments.
> > 
> > The informational draft discusses requirements for a IP replacement of
> > AppleTalk's Name Binding Protocol (NBP). As an individual submission,
> > there is likely little value in commenting on the content. However, I
> > would have appreciated if the authors would have discussed security as
> > a requirement for an NBP replacement. I know that flexible discovery
> > is often pretty much as odd with security, having "security measures
> > appropriate to the environment in which" an NBP replacement "will be
> > used" could have been an explicit requirement.
> 
> Can you propose some specific text you would like to see in the document?

My request is essentially to move the text currently in the security
considerations into section 3 where requirements for a replacement of
NBP are discussed. For example:

3.15 Security Requirements

   The AppleTalk Name Binding Protocol was developed in an era where
   little consideration was given to security issues. In today's world
   this would no longer be appropriate. Any modern replacement for
   AppleTalk NBP should have security measures appropriate to the
   environment in which it will be used.

The security considerations section then becomes this:

6. Security Considerations

   Security requirements for a replacement of the AppleTalk Name
   Binding Protocol are discussed in Section 3.15. Given that this
   document is a broad historical overview of how AppleTalk NBP
   worked, and does not specify any new protocol(s), detailed
   discussion of possible network environments, what protocols would
   be appropriate in each, and what security measures would be
   expected of each such protocol, is beyond the scope of this
   document.

Now that I look at this again, I also think that section 5 "IPv6
Considerations" is kind of mis-placed. It seems that section 5 should
also be a subsection of section 3 since it is establishing just
another requirement.

/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1, 28759 Bremen, Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>